
Win32.Brontok.MO

Rating: MEDIUM, MEDIUM
Size: 42kB
Aliases: W32.Rontokbro@mm (Symantec), Win32/Brontok.L@mm (OneCare)

Symptoms

Unexpected system shutdowns
Some system tools (Task Manager, Registry Editor, Folder Options) cannot be started

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Ovidiu Visoiu, virus researcher

Technical Description:

    When launched, the malware creates copies of itself in the following locations:
      %USERPROFILE%\%SETTINGS%\%APPDATA%\   using one of the names: winlogon.exe, services.exe, lsass.exe, inetinfo.exe, csrss.exe, smss.exe (the names of legitimate Windows system processes, whose real binaries live under %SYSTEM%, not in the user's Application Data folder)
      %WINDIR%\ShellNew\[random_name].exe
      %WINDIR%\eksplorasi.exe

    Each copy in %USERPROFILE%\%SETTINGS%\%APPDATA%\ performs the same malicious actions when executed.

    The following startup registry values are added:
       HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
         Shell = Explorer.exe "%WINDIR%\eksplorasi.exe"
       HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
         Bron-Spizaetus = "%WINDIR%\ShellNew\[random_name].exe"
    On a clean system the Winlogon Shell value is just Explorer.exe; appending a second program makes Winlogon start the worm alongside the desktop at every logon.
    
    To avoid being removed by the user, it disables Task Manager, Registry Editor and Folder Options, and hides file extensions and protected system files so that the copies listed above are harder to spot:
       HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
         NoFolderOptions = 0x00000001
       HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
         DisableCMD = 0x00000000
         DisableRegistryTools = 0x00000001
       HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
         ShowSuperHidden = 0x00000000
         HideFileExt = 0x00000001
    Note that DisableCMD is written as 0, which leaves the command prompt usable. ShowSuperHidden = 0 and HideFileExt = 1 are also the Windows defaults, so on their own they are not evidence of infection; the Winlogon Shell and Run changes above are the reliable indicators.
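To check a suspect machine for the persistence and policy changes listed above without touching the live registry, the following Python script, added here as an example and not part of the Bitdefender description, parses the text of a `reg export` file and reports the indicators it finds. The sample export, the ShellNew file name xk4q9.exe in it and the DisableTaskMgr check are constructed or assumed: the description does not name the value it sets for Task Manager, so the standard DisableTaskMgr policy value is assumed.

```python
"""Flag Brontok persistence and policy changes in a Windows registry export.

Added example, not part of the Bitdefender description. It works offline on
the text of a `reg export` file, so it can run against a dump taken from a
suspect host. SAMPLE_EXPORT below is constructed for the demo; the ShellNew
file name in it is made up.
"""
import re

SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe \"C:\\WINDOWS\\eksplorasi.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Bron-Spizaetus"="C:\\WINDOWS\\ShellNew\\xk4q9.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableCMD"=dword:00000000
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000000
"HideFileExt"=dword:00000001
"""

HKLM = "HKEY_LOCAL_MACHINE\\"
HKCU = "HKEY_CURRENT_USER\\"
WINLOGON = HKLM + r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN = HKLM + r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
POL_EXPLORER = HKCU + r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
POL_SYSTEM = HKCU + r"Software\Microsoft\Windows\CurrentVersion\Policies\System"
ADVANCED = HKCU + r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"


def _unescape(s):
    # .reg string syntax escapes only backslash and double quote, each with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} with key paths lower-cased (the
    registry is case-insensitive). REG_SZ becomes str, REG_DWORD becomes int,
    any other type keeps its raw right-hand side."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line) if current else None
        if not m:
            continue  # file header, default value (@=) or unsupported syntax
        name, rhs = _unescape(m.group(1)), m.group(2)
        if len(rhs) >= 2 and rhs[0] == '"' and rhs[-1] == '"':
            keys[current][name] = _unescape(rhs[1:-1])
        elif rhs.lower().startswith("dword:"):
            keys[current][name] = int(rhs[6:], 16)
        else:
            keys[current][name] = rhs
    return keys


def _values(keys, path):
    return keys.get(path.lower(), {})


def find_brontok_indicators(keys):
    """Return (strong, weak). Strong hits are the changes the description lists;
    weak hits are settings the worm writes that are also Windows defaults, so
    they only count as supporting context."""
    strong, weak = [], []
    shell = str(_values(keys, WINLOGON).get("Shell", "Explorer.exe"))
    # On a clean system the Shell value is exactly "Explorer.exe".
    if shell.strip().lower() != "explorer.exe":
        strong.append(f"Winlogon Shell hijacked: {shell!r}")
    for name, cmd in _values(keys, RUN).items():
        if name == "Bron-Spizaetus" or "\\shellnew\\" in str(cmd).lower():
            strong.append(f"Run value {name!r} -> {cmd!r}")
    checks = (
        (POL_EXPLORER, "NoFolderOptions", 1, "Folder Options disabled", strong),
        (POL_SYSTEM, "DisableRegistryTools", 1, "Registry Editor disabled", strong),
        # The description names no Task Manager value; DisableTaskMgr is the
        # standard policy value for it and is an assumption here.
        (POL_SYSTEM, "DisableTaskMgr", 1, "Task Manager disabled", strong),
        # DisableCMD=0, as written by the worm, is not a restriction and is ignored.
        (ADVANCED, "ShowSuperHidden", 0, "protected system files hidden", weak),
        (ADVANCED, "HideFileExt", 1, "file extensions hidden", weak),
    )
    for key, value, bad, what, bucket in checks:
        if _values(keys, key).get(value) == bad:
            bucket.append(f"{value}={bad} ({what})")
    return strong, weak


if __name__ == "__main__":
    s, w = find_brontok_indicators(parse_reg_export(SAMPLE_EXPORT))
    print("strong:", *s, sep="\n  ")
    print("weak:", *w, sep="\n  ")
```

A real `reg export` file is UTF-16LE with a byte-order mark, so decode it with `open(path, encoding="utf-16")` before passing the text in. The parser deliberately keeps the HKCU policy keys as exported, which means the dump has to be taken under the infected user's profile (or from that user's hive) for the policy checks to see anything.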

     If the title of the active window contains one of the following strings, it shuts the system down: SECURE, SUPPORT, MASTER, MICROSOFT, VIRUS, HACK, CRACK, LINUX, AVG, GRISOFT, CILLIN, SECURITY, SYMANTEC, ASSOCIATE, VAKSIN, NORTON, NORMAN, PANDA, SOFT, SPAM, BLAH
                   
    The hosts file (%SYSTEM%\drivers\etc\hosts) is replaced with a version downloaded from:
       http://www.geocities.com/[removed]/Host10.txt  (unavailable)
    It also downloads the following files:
       %USERPROFILE%\%SETTINGS%\%APPDATA%\Update.10.Bron.Tok.bin
         from: http://www.geocities.com/[removed]/BrontokInf10.txt
       %USERPROFILE%\%SETTINGS%\%APPDATA%\Bron.tok.A10.em.bin
         from: http://www.geocities.com/[removed]/Bron-ID10.txt
                   
    The worm tries to spread itself via email (as an attachment) using an embedded SMTP engine. It harvests mail addresses from files with the extensions HTM, HTML, TXT, EML, WAB, ASP, PHP, CFM, CSV or DOC. The sent mail contains the message
                        Brontok.A
                        By: HVM31
                        -- JowoBot #VM Community --
    and the attachment has one of the names: winword.exe, kangen.exe, ccapps.exe, syslove.exe, untukmu.exe, myheart.exe, my heart.exe, jangan dibuka.exe
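The mailing described above gives a mail gateway two things to match on: the fixed lure text in the body and the short list of attachment names. The following Python script, added here as an example and not part of the Bitdefender description, parses a message with the standard-library email package and reports both, plus the weaker generic signal of any .exe attachment. The sample message it builds, including the sender and recipient addresses and the stub attachment bytes, is constructed for the demonstration.

```python
"""Flag messages carrying the Brontok mail lure described above.

Added example, not part of the Bitdefender description. It parses an RFC 822
message with the standard-library email package and reports why the message
looks like the worm's mailing: the lure text in the body, one of the listed
attachment names, or (weaker) any .exe attachment. The sample message is
constructed here; the attachment bytes are a stub, not a real executable.
"""
import email
from email import policy
from email.message import EmailMessage

LURE_BODY = "Brontok.A\nBy: HVM31\n-- JowoBot #VM Community --\n"
LURE_LINES = ("Brontok.A", "By: HVM31", "JowoBot #VM Community")
ATTACHMENT_NAMES = {
    "winword.exe", "kangen.exe", "ccapps.exe", "syslove.exe", "untukmu.exe",
    "myheart.exe", "my heart.exe", "jangan dibuka.exe",
}


def build_sample_message(lure=True, attachment="kangen.exe"):
    """Constructed test input: a mail like the one the worm sends (defaults)
    or a benign one (lure=False, attachment=None). Returns raw RFC 822 bytes."""
    msg = EmailMessage()
    msg["From"] = "someone@example.com"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "hi"
    msg.set_content(LURE_BODY if lure else "Meeting moved to 3pm.\n")
    if attachment:
        msg.add_attachment(b"constructed stub, not a real executable",
                           maintype="application", subtype="octet-stream",
                           filename=attachment)
    return msg.as_bytes()


def classify_message(raw):
    """Return the list of reasons the message matches; an empty list means clean."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # container only; its children are visited by walk()
        name = part.get_filename()
        if name:
            lowered = name.lower()
            if lowered in ATTACHMENT_NAMES:
                reasons.append(f"attachment name {name!r}")
            elif lowered.endswith(".exe"):
                # Not specific to Brontok, but the same rule stops any worm
                # that mails itself as an .exe; reported as a weaker hit.
                reasons.append(f"executable attachment {name!r}")
        elif part.get_content_type() == "text/plain":
            body = part.get_content()
            # Require all three lure lines so ordinary mail mentioning the
            # name does not trip the rule.
            if all(s in body for s in LURE_LINES):
                reasons.append("body carries the Brontok lure text")
    return reasons


if __name__ == "__main__":
    for reason in classify_message(build_sample_message()):
        print(reason)
```

Matching is done on the decoded filename and body, so base64 transfer encoding and quoted filenames with spaces (my heart.exe) are handled by the email package rather than by string tricks on the raw message. Names such as winword.exe are not unique to this worm, so a name hit is best treated together with the body text or the executable-attachment signal rather than on its own.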